RE: HSTS missing from HTTPS server on tomcat 8.0.27

2016-02-09 Thread dkumar
Dear Harrie,

We have already implemented the said configuration of filter.

Still we are unable to implement HSTS.
This configuration works absolutely fine on tomcat running on
windows, but in the case of unix we aren't able to achieve HSTS.

Below are the steps followed by us:

We have downloaded latest tomcat tar.gz from tomcat website,
Deployed our application on it,
Made above changes in conf\web.xml and then started tomcat. No error till
this point.
When I started VA testing on the server I get below error:
Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character (CR or LF) found in method name
    at org.apache.coyote.http11.AbstractNioInputBuffer.parseRequestLine(AbstractNioInputBuffer.java:228)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1010)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)


and then VA test results show that HSTS is not configured.

Please note that we followed the above steps for tomcat on windows and
everything is absolutely fine and even results of VA test don't contain
HSTS information.
Any help is greatly appreciated.



From:   "Harrie Robins" <har...@eyequestion.nl>
To: "'Tomcat Users List'" <users@tomcat.apache.org>
Date:   08-02-2016 20:51
Subject:    RE: HSTS missing from HTTPS server on tomcat 8.0.27



Hello!

Missing HSTS is not a vulnerability; as Mark pointed out, it is a feature.
In your web.xml:

  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
      <param-name>hstsEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>hstsMaxAgeSeconds</param-name>
      <param-value>31536000</param-value>
    </init-param>
    <init-param>
      <param-name>hstsIncludeSubDomains</param-name>
      <param-value>true</param-value>
    </init-param>
    <async-supported>true</async-supported>
  </filter>


This will NOT activate HSTS for your application, you will need to add 
this
mapping as well (edit to needs and add to application):


  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>


Regards,

Harrie

-Original Message-
From: dku...@ccilindia.co.in [mailto:dku...@ccilindia.co.in] 
Sent: Monday 8 February 2016 15:50
To: 'Tomcat Users List' <users@tomcat.apache.org>
Subject: HSTS missing from HTTPS server on tomcat 8.0.27

Hi,

We are unable to fix the vulnerability of "HSTS missing from HTTPS server" 

on apache tomcat  8.0.27 while running on unix operating system. Below is
the system configuration:

 OS Name:   HP-UX
 OS Version:B.11.31
 Architecture:   IA64N
Java Home:/opt/java8/jre
JVM Version:  1.8.0.04-hp-ux-b2
JVM Vendor:   Hewlett-Packard Company

We have uncommented the httpHeaderSecurity in the filter tag of 
conf/web.xml
file, but still the vulnerability exists. We have also tried with apache
tomcat 8.0.30, but in vain.


Any help to fix this vulnerability is appreciated.

Thanks & Regards
Deepak Kumar
"Disclaimer and confidentiality clause -  This message and any attachments
relating to official business of CCIL OR ANY OF IT'S SUBSIDIARIES is
proprietary to CCIL and intended for the original addressee only.
The message may contain information that is confidential and subject to
legal privilege. 
Any views expressed in this message are those of the individual sender. 
If you have received this message in error, please notify the original
sender immediately and destroy the message and copies thereof and any
attachments contained in it .
 If you are not the intended recipient of this message, you are hereby
notified that you must not disseminate, copy, use, distribute, or take any
action in connection therewith. 
 CCIL cannot ensure that the integrity of this communication has been
maintained nor that it is free of errors, viruses, interception and/or
interference. 
CCIL is not liable whatsoever for loss or damage resulting from the 
opening
of this message and/or attachments and/or the use of the information
contained in this message and/or attachments."


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




Re: HSTS missing from HTTPS server on tomcat 8.0.27

2016-02-09 Thread Christopher Schultz

Deepak,

On 2/9/16 6:28 AM, dku...@ccilindia.co.in wrote:
> Dear Harrie,
> 
> We have already implemented the said configuration of filter.
> 
> Still we are unable to implement HSTS. This configuration works
> absolutely fine on tomcat running on windows, but in the
> case of unix we aren't able to achieve HSTS.
> 
> Below are the steps followed by us:
> 
> We have downloaded latest tomcat tar.gz from tomcat website,
> Deployed our application on it, Made above changes in conf\web.xml
> and then started tomcat. No error till this point. When I started
> VA testing on the server I get below error:
> Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
> java.lang.IllegalArgumentException: Invalid character (CR or LF) found in method name
>     at org.apache.coyote.http11.AbstractNioInputBuffer.parseRequestLine(AbstractNioInputBuffer.java:228)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1010)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:745)
> 
> 
> and then VA test results show that HSTS is not configured.

It looks like "VA test" has a broken client: it's not issuing a valid
HTTP request.

> Please note that we followed the above steps for tomcat on windows
> and every thing is absolutely fine and even results of VA test
> don't contain HSTS information. Any  help is greatly appreciated.

-chris




Re: HSTS missing from HTTPS server on tomcat 8.0.27

2016-02-09 Thread Olaf Kock


On 09.02.2016 at 15:10, Christopher Schultz wrote:
> On 2/9/16 6:28 AM, dku...@ccilindia.co.in wrote:
>
> > and then  VA test results show that HSTS is not configured.
>
> It looks like "VA test" has a broken client: it's not issuing a valid
> HTTP request.

Just to make sure it's not the most obvious things that we're missing here:

HSTS headers /only/ make sense on HTTPS connections, never on HTTP
connections. Also, they'll only work when using the default ports 80 and
443, as any HSTS-redirect will happily rewrite access to
http://www.example.com:8080/ to https://www.example.com:8080/ - and this
might easily result in protocol errors as you now no longer "speak" HTTP
on port 8080, but HTTPS.

Please confirm that
* You're running on ports 80 and 443
* You're expecting the HSTS header purely on https connections
* You're not using ports 8080 and 8443 or any other non-80 and non-443 port

Olaf


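Olaf's two caveats, shown as an added example that is not part of the thread: a minimal client-side HSTS policy cache following RFC 6797, with function names and sample hosts of our own choosing. A header received over plain HTTP is ignored, and the upgrade changes only the scheme, so http://www.example.com:8080/ becomes https://www.example.com:8080/ (a TLS handshake arriving on a plain-HTTP Tomcat connector is one common way to get an "Invalid character ... found in method name" parse error like the one in the trace above).

```python
# Added example (not from the thread): a client-side HSTS policy cache per RFC 6797.
# Function names and hosts are constructed for this illustration.
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value; None means 'ignore this header'."""
    policy = {"max_age": None, "include_subdomains": False}
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if policy["max_age"] is not None or not arg.isdigit():
                return None  # duplicated or non-numeric max-age: the header is invalid
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        # any other directive is ignored, as the RFC requires
    return policy if policy["max_age"] is not None else None

def learn_policy(url: str, header: Optional[str], cache: dict) -> bool:
    """Update the cache from one response; True if the host is now a known HSTS host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or header is None:
        return parts.hostname in cache  # HSTS over plain HTTP is ignored (RFC 6797 8.1)
    policy = parse_hsts(header)
    if policy is None:
        return parts.hostname in cache
    if policy["max_age"] == 0:
        cache.pop(parts.hostname, None)  # max-age=0 tells the client to forget the host
        return False
    cache[parts.hostname] = policy
    return True

def is_hsts_host(host: str, cache: dict) -> bool:
    """Exact match, or a subdomain of a host that sent includeSubDomains."""
    return any(host == h or (p["include_subdomains"] and host.endswith("." + h))
               for h, p in cache.items())

def apply_policy(url: str, cache: dict) -> str:
    """Rewrite http:// to https:// for a known HSTS host. Only the scheme changes:
    http://www.example.com:8080/ becomes https://www.example.com:8080/, so a
    plain-HTTP connector on 8080 then receives a TLS handshake instead of HTTP."""
    parts = urlsplit(url)
    if parts.scheme == "http" and is_hsts_host(parts.hostname or "", cache):
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url
```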



HSTS missing from HTTPS server on tomcat 8.0.27

2016-02-08 Thread dkumar
Hi,

We are unable to fix the vulnerability of "HSTS missing from HTTPS server" 
on apache tomcat  8.0.27 while running on unix operating system. Below is 
the system configuration:

 OS Name:   HP-UX
 OS Version:B.11.31
 Architecture:   IA64N
Java Home:/opt/java8/jre
JVM Version:  1.8.0.04-hp-ux-b2
JVM Vendor:   Hewlett-Packard Company

We have uncommented the httpHeaderSecurity in the filter tag of 
conf/web.xml file, but still the vulnerability exists. We have also tried 
with apache tomcat 8.0.30, but in vain.


Any help to fix this vulnerability is appreciated.

Thanks & Regards
Deepak Kumar


RE: HSTS missing from HTTPS server on tomcat 8.0.27

2016-02-08 Thread Harrie Robins
Hello!

Missing HSTS is not a vulnerability; as Mark pointed out, it is a feature.
In your web.xml:

  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
      <param-name>hstsEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>hstsMaxAgeSeconds</param-name>
      <param-value>31536000</param-value>
    </init-param>
    <init-param>
      <param-name>hstsIncludeSubDomains</param-name>
      <param-value>true</param-value>
    </init-param>
    <async-supported>true</async-supported>
  </filter>


This will NOT activate HSTS for your application, you will need to add this
mapping as well (edit to needs and add to application):


  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>


Regards,

Harrie

-Original Message-
From: dku...@ccilindia.co.in [mailto:dku...@ccilindia.co.in] 
Sent: Monday 8 February 2016 15:50
To: 'Tomcat Users List' <users@tomcat.apache.org>
Subject: HSTS missing from HTTPS server on tomcat 8.0.27

Hi,

We are unable to fix the vulnerability of "HSTS missing from HTTPS server" 
on apache tomcat  8.0.27 while running on unix operating system. Below is
the system configuration:

 OS Name:   HP-UX
 OS Version:B.11.31
 Architecture:   IA64N
Java Home:/opt/java8/jre
JVM Version:  1.8.0.04-hp-ux-b2
JVM Vendor:   Hewlett-Packard Company

We have uncommented the httpHeaderSecurity in the filter tag of conf/web.xml
file, but still the vulnerability exists. We have also tried with apache
tomcat 8.0.30, but in vain.


Any help to fix this vulnerability is appreciated.

Thanks & Regards
Deepak Kumar





Re: HSTS missing from HTTPS server on tomcat 8.0.27

2016-02-08 Thread Mark Thomas
On 08/02/2016 14:49, dku...@ccilindia.co.in wrote:
> Hi,
> 
> We are unable to fix the vulnerability of "HSTS missing from HTTPS server"

That is not a security vulnerability. It is a configuration choice.

> on apache tomcat  8.0.27 while running on unix operating system. Below is 
> the system configuration:
> 
>  OS Name:   HP-UX
>  OS Version:B.11.31
>  Architecture:   IA64N
> Java Home:/opt/java8/jre
> JVM Version:  1.8.0.04-hp-ux-b2
> JVM Vendor:   Hewlett-Packard Company
> 
> We have uncommented the httpHeaderSecurity in the filter tag of 
> conf/web.xml file,

Exactly what have you uncommented? Did you remember to uncomment the
filter mapping as well as the filter definition?

Mark

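Mark asks whether the filter-mapping was uncommented along with the filter definition, and Harrie's snippet shows both halves. As an added example that is not part of the thread, this Python check parses a Tomcat 8 conf/web.xml and reports whether the httpHeaderSecurity filter is defined, has hstsEnabled, and is actually mapped; the sample web.xml fragments and the function names are constructed here.

```python
# Added example (not from the thread): check a Tomcat 8 conf/web.xml for the
# httpHeaderSecurity filter definition AND its filter-mapping, the pair Mark asks
# about. Sample fragments and function names are constructed for this example.
import xml.etree.ElementTree as ET
NS = {"j": "http://xmlns.jcp.org/xml/ns/javaee"}  # Servlet 3.1 namespace of Tomcat 8's web.xml

# Constructed sample: filter uncommented, mapping still inside a comment (Mark's suspicion).
FILTER_ONLY = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
    <async-supported>true</async-supported>
  </filter>
  <!--
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
  -->
</web-app>"""

MAPPING = """  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
"""
FILTER_AND_MAPPING = FILTER_ONLY.replace("</web-app>", MAPPING + "</web-app>")  # corrected file

def hsts_status(web_xml: str, name: str = "httpHeaderSecurity") -> dict:
    """Report whether web.xml defines, enables and maps the HSTS filter."""
    root = ET.fromstring(web_xml)  # commented-out XML is dropped by the parser, as in Tomcat
    text = lambda el, tag: (el.findtext("j:" + tag, namespaces=NS) or "").strip()
    # HttpHeaderSecurityFilter defaults hstsEnabled to true when the init-param is absent
    status = {"filter_defined": False, "hsts_enabled": True, "mapped": False}
    for f in root.findall("j:filter", NS):
        if text(f, "filter-name") != name:
            continue
        status["filter_defined"] = True
        for p in f.findall("j:init-param", NS):
            if text(p, "param-name") == "hstsEnabled":
                status["hsts_enabled"] = text(p, "param-value") == "true"
    status["mapped"] = any(text(m, "filter-name") == name for m in root.findall("j:filter-mapping", NS))
    # Without a mapping the filter never runs, so no Strict-Transport-Security header is sent.
    status["header_will_be_sent"] = all(status.values())
    return status
```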



Unable to fix the vulnerability of " HSTS missing from HTTPS server" on tomcat 8.0.27 running on unix .

2016-02-05 Thread dkumar
Hi ,


We are unable to fix the vulnerability of "HSTS missing from HTTPS
server" on apache tomcat 8.0.27 running on unix.

We found the solution for the same by enabling httpHeaderSecurity filter
in conf\web.xml file, tag and it works absolutely fine for tomcat
8.0.27 on windows,

but the same change on Tomcat 8.0.27 on UNIX, doesn't fix the
vulnerability.

The only significant difference we found in tomcats running on unix and
windows:

Tomcat running on windows has JDK 8 installed and tomcat running on unix
has JDK 1.7.0.04.

Is this the reason hampering the fix to the vulnerability? If not, what is the
solution for this.


Any help is greatly appreciated.



Thanks & Regards
Deepak Kumar